Backdoor.Sdbot.T is a backdoor trojan that allows hackers to remotely access infected machines via IRC channels.
Virus Name: Backdoor.Sdbot.T
Species: Trojan / Date appeared on 18/4/2004
Describe
When Backdoor.Sdbot.T is enabled, it performs the following tasks:
- Self-clone with the name % System% kgzgjkpcw.exe and % System% zonealarm.exe The system directory, by default, will be C: WindowsSystem (Windows 95/98 / Me), C: WinntSystem32 (Windows NT / 2000), or C: WindowsSystem32 (Windows XP).
- Terminate the following processes:
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. com Netstat.exe
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. com Msconfig.exe
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. com Regedit.exe
- Add value " Winsock2 driver "=" kgzgjkpcw.exe on the registry keys:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindows
CurrentVersionRunOnce
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
CurrentVersionRun
- Add value " Winsock2 driver = "ZONEALARM.EXE to the registry key:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindows
CurrentVersionRunOnce
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
CurrentVersionRun
Use your own IRC client to connect to a specific IRC channel and wait for the following command:
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. xx77 i /
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. Control the IRC client in the infected computer
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. com Transfer network and system information to the author of the Trojan
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. Download and execute the file
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. com Record keystrokes
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. com Run the HTTP server
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. com Process management
1 AzSoft_watermark_small.png cong-nghe? P = 1 en_metadesc.txt en_name.txt getpageinfo.sh getpagelink.sh imglink.txt imglist.txt img.quantrimang.com label: Some Text link_original.txt link.txt log.txt meta_desc.txt name.txt news t-142619 testimg2-0.jpg testimg2-1.jpg testimg2.jpg testimg3.jpg testimg.jpg thumb tim-hieu-excel-2016-200.jpg title_vn.txt tmp02.html tmp03.html tmp2.html tmpdesc2.txt tmpdesc3.txt tmpdesc4.txt tmpdesc5.txt tmpdesc6.txt tmpdesc7.txt tmpdesc.txt tmp.html tmpresult.txt tmptrans.txt transresult.txt wm.quantrimang.com www.mailenable.com www.microsoft.com. com Denial of service attacks (DoS)
& nbsp;